There is no such thing as DNS-over-https.
They are entirely different protocols.

EDIT: well, looking over the IETF draft of this new "perform a host name lookup on a remote server over an https connection" mechanism (DOH), I can see this having been born from paranoia and/or the desire for people to try and cover their tracks. I shall henceforth call it "D'oh!"

I don't understand how Mozilla in their commit message can state it's more efficient. There is nothing more efficient than performing a one-shot-one-response UDP request to a DNS server. Setting up an HTTPS connection is expensive, slow, and not efficient at all. What are they thinking?

This kind of tunneling over http of other protocols is further undermining the wide array of protocols in use on the internet. If you don't trust the local network, and you need a server anyway to tunnel through, you may as well use a VPN and cover everything in one go instead of coming up with all sorts of proprietary mechanisms to "work around using one protocol instead of multiple". If you suffer from DNS poisoning, then pick better resolvers to use.

I don't see a reason to implement this at this time. https is not meant to be used as an encapsulation protocol, despite people doing so.

Last edited by Moonchild on 2018-03-22, 17:54, edited 4 times in total.

"There will be times when the position you advocate, no matter how well framed and supported, will not be accepted by the public simply because you are who you are." -- Merrill Rose

Well, this will prevent DNS poisoning and spoofing. It also prevents censorship via DNS injection or hijacking. That aside, DOH seems to become the new standard later this year. Not having what most use might provide a toehold for tracking.

Paleist wrote: Well, this will prevent DNS poisoning and spoofing. It also prevents censorship via DNS injection or hijacking. That aside, DOH seems to become the new standard later this year. Not having what most use might provide a toehold for tracking.

It won't prevent poisoning, because you're still using a resolver which you implicitly trust that is operated by someone else, that can just as easily be subject to poisoning attacks.
Same for spoofing.
Same for hijacking and censorship.
Also, if you do your own lookups instead of deferring, we have all these wonderful mitigation and verification technologies already in place on regular DNS traffic like DNSSEC, DANE, and what not.

And as for tracking? You're centralizing all of browsers' DNS traffic to one server. You want a tracking tap? That central server is a perfect location.

DNS is meant to be a decentralized protocol. Let's keep it that way.

D'Oh! doesn't solve anything except the situation where you're not trusting a local network that enforces its own DNS servers -- as said in that case you'd be better off tunneling out for all of your traffic anyway.